My previous IPv6 network was configured with Astaro – recently I have switched vendor to Fortinet (partly troubleshooting, partly because I could). Using one of their FortiGate FWs – it's been “fun” getting all the functions working that I had on the Astaro – one that was a bit more complex was the IPv6 config. It was pretty much point & click GUI driven on the Astaro; it's a lot more CLI driven on the FortiGate.

I'm using PPPoE without a static IP – so when my IPv4 ISP connection changes address, it will take out my IPv6 tunnel – I will try to work out how this needs to be fixed later.

First step is to enable IPv6 in the GUI – most of the tunnel config is going to be done on the CLI, but with the GUI enabled, you can at least manage the addresses / policies easily.

config system global
    set gui-ipv6 enable
end

Configure the tunnel – if you are using he.net (tunnelbroker.net), there is a shortcut you can take.

View your Tunnel Details on their admin page, and make sure you set the correct “Client IPv4 Address” to match your current PPPoE or other connection. Then click on the tab called “Example Configurations”, which allows you to simply select your OS & it populates the changes needed with the correct IP addresses. In this case, FortiGate 4.x:

config system sit-tunnel
    edit "HE"
        set destination 64.62.134.130
        set ip6 2001:470:66:288::2/64
        set source 121.216.247.8
    next
end

config router static6
    edit 1
        set device "HE"
    next
end

Once you have pasted that into the CLI on the FG, check that the tunnel comes up & finish the config.

Configure some FW policies to allow your internal hosts to browse the IPv6 internet (HTTP/HTTPS/PING6/DNS). You can now use the GUI on the FortiGate to configure your new IPv6 FW rules, just remember to use the “IPv6 Policy” menu, not the standard “Policy” page – as that is your IPv4 traffic.
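As an added example (not from the original post), here is what the outbound IPv6 policy described above looks like on the CLI in FortiOS 4.x syntax. The interface names "internal" (LAN side) and "HE" (the sit-tunnel created earlier) and the service group name are assumptions; the services HTTP, HTTPS, DNS and PING6 are FortiGate predefined services. Before adding the policy, confirm the tunnel is up with `execute ping6` against the tunnel server's address from the tunnelbroker.net details page.

```fortios
# Added example, not from the original post: outbound IPv6 policy on a
# FortiGate running FortiOS 4.x. Interface names "internal" (LAN) and
# "HE" (the sit-tunnel) are assumptions; adjust to your own.

# Group the services the post allows out: HTTP, HTTPS, DNS and PING6.
config firewall service group
    edit "v6-browse-out"
        set member "HTTP" "HTTPS" "DNS" "PING6"
    next
end

# IPv6 policies live in their own table (the GUI's "IPv6 Policy" menu).
# Only LAN -> tunnel is written; nothing is written for tunnel -> LAN, so
# traffic arriving from the tunnel hits the implicit deny and
# autoconfigured internal hosts stay unreachable from outside.
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "HE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "v6-browse-out"
        set logtraffic enable
    next
end
```

Logging is enabled on the accept rule so that the first IPv6 sessions out of the LAN show up in the traffic log, which is the quickest way to confirm both the policy match and the tunnel path.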

A note on IPv6 DNS & the FortiGate

After some mucking around & frustration, it was clear that the FortiGate was not advertising DNS to stateless autoconfiguration clients. This meant that I had to configure the IPv6 DNS server manually – hardly a great solution (you can use the one from HE).

I found another couple of config items that seem to fix the issue (I added these to my config above):

    set ip6-manage-flag enable
    set ip6-other-flag enable

Documentation from Fortinet on this is not great, so I don't know the full impact of these, but it seems to do what I want, as long as your IPv4 DNS server is the FortiGate.

As you can see, I only have an IPv4 nameserver (The FortiGate), but both IPv4 & IPv6 DNS entries are happily being resolved.

Well – it's official – I am an IPv6 consumer. I have a public facing IPv6 web & SMTP server – and I have passed the requirements of the Hurricane Electric (he.net) IPv6 certification program to the SAGE level – http://ipv6.he.net/certification/

I already had IPv6 through Freenet6 – as I detailed in my previous IPv6 post here – so I began the IPv6 certification program, and ran through the first few basic levels.

I can reach the site with IPv6 – Check

he.net can reach my IPv6 website – Check

he.net can send me email (had to stand up postfix for this one) – Check

This got me to the Administrator level – anyone with IPv6 connectivity can easily get here – simply have a reachable IPv6 website & mail server.

This is where the fun came in. To get to the next level (Professional) – I needed a working reverse DNS entry for my mail server. Now while this sounds simple – Freenet6 doesn't appear to provide an easy way to configure reverse DNS entries for the IPv6 range they provide you – bummer.

I had exhausted my energy trying to set up reverse DNS with Freenet6, so off to Hurricane Electric I went – it seemed a logical choice considering I was doing their certification anyway. Signup was simple & within minutes I had a new IPv6 allocation. They initially allocate a single /64 – but once you have enabled your connection – you can request a /48 – which of course I did.

So – now that I have a new allocation, here is how I configured it on my network.

Minutes later, the /64 range on your tunnelbroker.net account page should appear in the global tab.

A couple of tests later & I confirmed I could ping IPv6 addresses from my Astaro box (example here using the ns2.he.net nameserver address)

I decided to use the initial /64 I was allocated as the range for my internal hosts, and then break up the /48 into subnets for other zones.

By far the easiest way to use IPv6 is to let “Stateless Auto Configuration” work its magic. It doesn't require DHCP, and allows hosts to automatically find the router & get an address – it pretty much works as it says on the box.

Simply add an IPv6 address to the FW interface you want to run IPv6 on, then advertise the subnet out.

Suddenly your internal hosts will be getting IPv6 addresses & will be EXTERNALLY REACHABLE <— This is important. Make sure you set up your firewall rules, host protection etc. I will not cover this step, but you need to ensure you understand that as soon as your box has an IPv6 address – it is publicly routable from the outside world.

Repeat the addition of an IPv6 address (from another /64 subnet – broken out of the /48 you requested from tunnelbroker.net) to the DMZ interface(s). I am not enabling “Stateless Auto Configuration” on my DMZ segments; I am just manually assigning addresses to the couple of boxes in there.
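The two interface styles just described (an internal segment that advertises its prefix for stateless autoconfiguration, and a DMZ segment that is addressed by hand) are shown here on the FortiGate CLI as an added example; this is not the post's own config, which was done on the Astaro at this point. It also shows where the `ip6-manage-flag` and `ip6-other-flag` items from the DNS note sit: they set the M (“Managed address configuration”) and O (“Other configuration”) flags in the router advertisement, which tell hosts that addresses (M) and other information such as DNS servers (O) are available via DHCPv6. FortiOS 4.x syntax is assumed, as are the interface names "internal" and "dmz" and the 2001:db8::/48 documentation prefix, which stands in for your own HE-routed /48.

```fortios
# Added example, not from the original post. FortiOS 4.x syntax; the
# interface names "internal" and "dmz" and the 2001:db8::/48 prefixes
# (documentation range standing in for your own HE /48) are assumptions.

config system interface
    # Internal segment: address the interface, send router advertisements
    # so hosts autoconfigure, and set the M and O flags from the DNS note.
    edit "internal"
        config ipv6
            set ip6-address 2001:db8:1:1::1/64
            set ip6-send-adv enable
            # M flag: hosts may obtain addresses via DHCPv6.
            # O flag: hosts may obtain other config (e.g. DNS) via DHCPv6.
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:1:1::/64
                    # autonomous: hosts build their own address from this
                    # prefix (SLAAC); onlink: prefix is directly reachable
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
    # DMZ segment: address only, no advertisements. Hosts in here are
    # addressed by hand, so nothing autoconfigures an address on its own.
    edit "dmz"
        config ipv6
            set ip6-address 2001:db8:1:2::1/64
            set ip6-send-adv disable
        end
    next
end
```

Once the advertisement is enabled on "internal", every host on that segment that honours router advertisements will pick up a global address from 2001:db8:1:1::/64 within seconds, which is exactly the moment the warning above applies: have the IPv6 policies in place first, because the only thing between those hosts and the tunnel is the policy table.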

Right – that covers the move to Hurricane Electric & how to re-address the internal & DMZ segments.

Next steps are re-addressing my public web & smtp server, updating the DNS forward & reverse zone entries – and what is needed to complete the rest of the certification.
